U.S. Department of Health and Human Services

Public Comments: May 2009 – WPF files comments with HHS regarding data breach guidance

The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for “limited data set” breaches.

CVS Caremark pharmacy chain agrees to pay $2.25 million to settle charges of HIPAA violations; also settles with the FTC

Medical privacy | HIPAA | FTC — According to a legal complaint, CVS pharmacies — the largest pharmacy chain in the United States — did not take appropriate steps to protect its customers’ and employees’ sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver’s license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.

Public Comments: December 2008 – GINA – Genetic Information Nondiscrimination Act

In response to a Request for Information (RFI) from U.S. federal agencies regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum filed a detailed response with suggestions on what aspects of GINA need clarification. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls “incidental collection” of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes “incidental collection,” and urged the agencies to treat lists containing identifiable patient information as belonging to the same category as a “medical database.”

World Privacy Forum Publishes Red Flag Rule Suggestions for Hospitals and Providers; new FTC-enforced rules go into effect Nov. 1, can apply to health care providers

SAN DIEGO, Ca., Sept. 24 — The World Privacy Forum’s latest report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, discusses the applicability of the new FTC regulations to the health care sector along with suggestions for providers. The report addresses newly issued regulations by the Federal Trade Commission that require financial institutions and creditors to develop and implement written identity theft prevention programs. Health care providers – whether they are for-profit, non-profit, or governmental entities – may have obligations under the new rules.